I4cTime/quantum_ring

v0.10.0 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 1mo Secrets & Credentials
✓ No known CVEs patched
This release patches 1 known CVE

Topics

ai-agents claude-code cursor keyring mcp mcp-server secrets-management security

Affected surfaces

auth rce_ssrf crypto_tls

Summary

AI summary

Approval HMAC now covers workspace and sessionId, rejecting forged bindings.

Full changelog

Highlights

Security

  • Approval HMAC now covers workspace and sessionId; forged/tampered bindings are rejected (new tamper test added).
  • ~/.config/q-ring/ created with mode 0o700.
  • JIT HTTP SSRF fails closed on DNS errors and blocks non-http(s) URLs.
  • Teleport AES-GCM new bundles use a 12-byte IV.
  • Shell hooks switched from exec to execFile with bounded stdout buffer.
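
The first item above, as an added example (not q-ring's own code): a MAC protects only the fields it is computed over, so an approval whose tag omits workspace and sessionId still verifies after those fields are changed. The approval shape, the field names secretName and expiresAt, and the length-prefixed encoding are assumptions made for the illustration.

```javascript
// Added illustration, not q-ring's code. Only workspace and sessionId are named
// on the page; secretName, expiresAt and the encoding are hypothetical.
const crypto = require("node:crypto");

// Length-prefix each field so ("ab","c") and ("a","bc") cannot encode alike.
function canonical(fields) {
  return Buffer.concat(fields.map((f) => {
    const body = Buffer.from(String(f), "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

// Assumed "before" shape: the tag does not cover the binding fields.
function macPartial(key, a) {
  return crypto.createHmac("sha256", key)
    .update(canonical([a.secretName, a.expiresAt])).digest();
}

// "After" shape: workspace and sessionId are part of the MAC input.
function macFull(key, a) {
  return crypto.createHmac("sha256", key)
    .update(canonical([a.secretName, a.expiresAt, a.workspace, a.sessionId])).digest();
}

// Recompute the tag from the presented fields and compare in constant time.
function verify(macFn, key, approval) {
  const expected = macFn(key, approval);
  const got = Buffer.from(approval.mac, "hex");
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample data: one approval, then the same tag on changed bindings.
const KEY = crypto.randomBytes(32);
function demo() {
  const base = { secretName: "API_KEY", expiresAt: 1700000000,
                 workspace: "/home/dev/project-a", sessionId: "sess-1" };
  const rebound = (mac) => ({ ...base, workspace: "/home/dev/project-b",
                              sessionId: "sess-2", mac });
  const partial = macPartial(KEY, base).toString("hex");
  const full = macFull(KEY, base).toString("hex");
  return {
    partialAcceptsRebound: verify(macPartial, KEY, rebound(partial)),
    fullAcceptsOriginal: verify(macFull, KEY, { ...base, mac: full }),
    fullAcceptsRebound: verify(macFull, KEY, rebound(full)),
  };
}
console.log(demo());
```

A regression test for this kind of fix asserts the third result: a valid tag presented with a different workspace or sessionId must fail verification.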

Decomposition

  • CLI registration split into nine themed modules under src/cli/commands/.
  • MCP tool registration split into ten focused modules under src/mcp/tools/ plus a shared _shared.ts.

CLI beautification

  • qring --help now renders commands under nine glyph-prefixed sections: Secrets, Project, Quantum, Validation & Rotation, Dev Tooling, Audit & Health, Hooks, Agent Memory, Security & Governance.

Docs

  • docs/cli-mcp-parity.md — full CLI ↔ MCP command/tool mapping with shared-behavior notes.

Tests

  • 164 tests across 24 files (added keyring-lifecycle.test.ts, ssrf-jit.test.ts, workspace/session tamper coverage in approval.test.ts).

Installation

npm install -g @i4ctime/q-ring
# or
pnpm add -g @i4ctime/q-ring
# or (Homebrew)
brew install i4ctime/tap/qring

Full changelog: https://github.com/I4cTime/quantum_ring/blob/main/CHANGELOG.md

Security Fixes

  • Approval HMAC expanded to include workspace and sessionId fields, rejecting tampered bindings


About I4cTime/quantum_ring

Quantum-inspired keyring for AI coding agents. Secure secrets with superposition, entanglement, tunneling, and teleportation.
